I use the below command for creating a new chef vault: `knife vault create -A -M client -S 'name:' -J`
My question is how can I give access of this chef vault to multiple nodes?
Also, what are the different ways this access can be granted? (It can be via node names, role names, etc.) I need to know the commands for the search query.
The argument to `-S` is a Chef search query, which is normally used to select which nodes should be given access. `name:` is not a valid query, but it's hard to tell if you meant that literally. You can also use the `-A` flag (which, again, is used incorrectly above) to add individual users or clients by name (I know it says `--admins` but it works with node names too).

As an infosec practitioner I am also obligated to warn you that use of the `-S` search query option can be unsafe under certain attack models. Specifically a compromised node can change its own attributes such that the next time someone runs a vault refresh, the node is incorrectly given access. This isn't the worst of all possible security holes but just be aware of it.
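One way to catch the refresh risk described in the answer above, as an added example that is not part of the original answer: compare the vault's keys item before and after a refresh and flag any newly added client that an inventory kept outside Chef does not expect. The vault name, host names and inventory are constructed, and the field names (`clients`, `admins`, `search_query`) are an assumption about the layout of the `<item>_keys` data bag item.

```ruby
require 'json'

# Constructed sample: the "<item>_keys" data bag item captured before and
# after a `knife vault refresh` (assumed to be exported as JSON, e.g. with
# `knife data bag show VAULT ITEM_keys -F json`). The per-client encrypted
# key entries are left out; field names are an assumption, see lead-in.
BEFORE_JSON = <<~JSON
  {"id": "dbpass_keys", "admins": ["alice"], "search_query": "role:db",
   "clients": ["db01.example.com", "db02.example.com"]}
JSON
AFTER_JSON = <<~JSON
  {"id": "dbpass_keys", "admins": ["alice"], "search_query": "role:db",
   "clients": ["db01.example.com", "db02.example.com", "web07.example.com"]}
JSON

# Constructed inventory held outside Chef node attributes (for example a
# CMDB export), so a node cannot edit its own entry.
APPROVED = {
  'role:db' => %w[db01.example.com db02.example.com db03.example.com]
}.freeze

# Returns which clients gained or lost access across the refresh, split by
# whether the out-of-band inventory expects them to match the search query.
def audit_refresh(before_json, after_json, approved)
  before = JSON.parse(before_json)
  after  = JSON.parse(after_json)
  added    = after.fetch('clients', []) - before.fetch('clients', [])
  removed  = before.fetch('clients', []) - after.fetch('clients', [])
  expected = approved.fetch(after['search_query'], [])
  {
    query_changed: before['search_query'] != after['search_query'],
    added_expected: added & expected,
    added_unexpected: added - expected, # review these before trusting the refresh
    removed: removed
  }
end

puts JSON.pretty_generate(audit_refresh(BEFORE_JSON, AFTER_JSON, APPROVED))
```

A non-empty `added_unexpected` list means a node matched the search query without being in the inventory, which is the situation the answer warns about.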